Access rights database design

Question 1

Your first option is not as flexible as it could be and your second option is not as managable as it could be.

The standard pattern for access control is called Role Based Security. As both the number of users and the number of different types of permissions you need grows, the management of your user-to-permissions links can become increasingly difficult.

For example, if you have five administrators and fifty users, how do you keep the permissions of each group in synch? When one of your users is promoted to an administrator, how many edits do you need to make? The answer is to create two intersections: users-to-roles and roles-to-permissions.

ERD

Question 2

Option 1 is fine for simple systems. One query, gives you one row with all the info you need. This is very efficient. Efficiency is 'good'. And it might even qualify as 'better' for your needs.

Option 2 is great if the action rights are very likely to be expanded over time in an unpredictable way, and be used by essentially isolated modules looking to confirm user has access only to their unique subsystem. It is more complex in that a 'join' must be performed if retrieving both actor and access info simultaneously. But I like joins so I won't say inefficient too loudly and DBS are built to be good at them. Use indexes wisely and they are just fine.

Using link tables is more complex from a coding standpoint. You have segregated your data and must therefore write more complex code that deals with each disparate piece of it. However I personally believe this to be 'good' complexity in that each unique piece of data has its own unique piece(s) of dependent code. Allows for modularity and unary encapsulation of functionality.

Question 3

I think in most circumstances solution #2 is much better. I would discard the "isallowed" flag in that solution and only insert the given rights of a user into the rights table.